Vault Agent with Kubernetes - getting connection refused error

urmilaB4 · September 8, 2020, 6:48am

I am trying the sample example Vault Agent Auto-Auth using the kubernetes auth method. I have followed all the steps given in [Vault Agent with Kubernetes | Vault | HashiCorp Developer] but while login request getting connection refused.

I have configured K8s using below commands -

export VAULT_SA_NAME=$(sudo kubectl get sa vault-auth-k8s -n namespace1 -o jsonpath=“{.secrets[*][‘name’]}”)

export SA_JWT_TOKEN=(sudo kubectl get secret -n namespace1$VAULT_SA_NAME -o jsonpath=“{.data.token}” | base64 --decode; echo)

export SA_CA_CRT=$(sudo kubectl get secret -n namespace1$VAULT_SA_NAME -o jsonpath=“{.data[‘ca.crt’]}” | base64 --decode; echo)

export K8S_HOST=“127.0.0.1” ##Using k3s so using kubernetes host address as 127.0.0.1

curl
–header “X-Vault-Token: $VAULT_TOKEN”
–request POST
–data ‘{“type”: “kubernetes”}’
http://X.X.X.X:8200/v1/sys/auth/kubernetes

sudo kubectl exec vault-0 -n namespace1 – vault write auth/kubernetes/config
token_reviewer_jwt=“$SA_JWT_TOKEN”
kubernetes_host=“https://$K8S_HOST:8443”
kubernetes_ca_cert=“$SA_CA_CRT”

sudo kubectl exec vault-0 -n namespace1 – vault write auth/kubernetes/role/example
bound_service_account_names=vault-auth-k8s
bound_service_account_namespaces=namespace1
policies=myapp-k8svl-ro
ttl=240h

TOKEN=$(sudo kubectl get secrets -n namespace1 -o jsonpath=“{.items[?(@.metadata.annotations[‘kubernetes.io/service-account.name’]==‘vault-auth-k8s’)].data.token}”|base64 --decode)

curl --request POST --data ‘{“jwt”: "’“$TOKEN”‘", “role”: “example”}’ http://X.X.X.X:8200/v1/auth/kubernetes/login

Once we run the above command getting error (error displayed in vault-0) -
[ERROR] auth.kubernetes.auth_kubernetes_e415b64a: login unauthorized due to: Post [https://127.0.0.1:8443/apis/authentication.k8s.io/v1/tokenreviews:] dial tcp 127.0.0.1:8443: connect: connection refused

Please help if any configuration is missing or have done any wrong configurations.
Using vault port as 8200 and K8s host port as 8443

mirkop-mattr · September 8, 2020, 8:10pm

Hi, any chance you can reformat the post? It’s quite hard to read.
I have not used k3s much, but could it be that when you are in the context of your vault pod, the kubernetes api is not exposed under localhost hence you get a connection refused?

urmilaB4 · September 9, 2020, 6:38am

Hi,
Thanks for the reply. I have modified my post and hope so it is more readable now. My all pods(including Vault) are in same kubernetes node as I am doing it localy on my machine.
But if I run the following commands I am able to access K8s apis on same machine.

TOKEN=$(sudo kubectl get secrets -o jsonpath=“{.items[?(@.metadata.annotations[‘kubernetes.io/service-account.name’]==‘default’)].data.token}”|base64 --decode)

curl -X GET https://127.0.0.1:6443/apis --header “Authorization: Bearer $TOKEN” --insecure
Curl command Output:
{
“kind”: “APIGroupList”,
“apiVersion”: “v1”,
“groups”: [
{
“name”: “apiregistration.k8s.io”,
“versions”: [
{
“groupVersion”: “apiregistration.k8s.io/v1”,
“version”: “v1”
},
{
“groupVersion”: “apiregistration.k8s.io/v1beta1”,
“version”: “v1beta1”
}
], … *omitted due to long output

When I use the same url through vault then getting connection refused error.

Topic		Replies	Views
Vault-AutoAuth Minikube Configureation issue as per official page Vault k8s , vault	0	404	February 3, 2021
Vault agent unable to authenticate in new Kubernetes cluster Vault k8s	4	3383	August 19, 2021
Vault Injector Not Authorized in Vault-Agent-Init Container Logs Vault connect , vault	0	607	August 9, 2023
Permission denied when authenticating pod to external vault service running on gke Vault	0	395	October 6, 2020
Kubernetes Authentication denied Vault k8s	16	13889	April 10, 2023

Vault Agent with Kubernetes - getting connection refused error

Related topics